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Call for Views: Code of Practice for the use of 1c0 
personal information in political campaigns ° 


Information Commissioner's Office 


The ICO’s new Code of Practice for the use of personal information in 
political campaigns will draw from our current Guidance on Political 
Campaigning, but will be fully updated to ensure it reflects the current 
Data Protection Act 2018 and GDPR requirements. It will also be widened 
to cover areas where our investigation found significant concerns or 
misunderstandings of the law. In addition, it will provide guidance and 
good practice recommendations to aid compliance. 


You can read the full background and legal basis for the production of this 
code on our website. 


Responses to this call for views must be received by 11.59pm on Friday 
21 December 2018 


If you would like further information on the call for views please 
telephone 0303 123 1113 and ask to speak to the Parliament and 
Government Affairs Department about the call for views on a new Code of 
Practice for the use of personal information in political campaigns or email 
politicalcampaigning@ico.org.uk. 


Privacy statement 

For this call for views we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 


Call for Views: Code of Practice for the use of 
personal information in political campaigns 


Q1 Do you agree with our understanding of ‘political campaigning’ and 
what processing should be covered by the code? 


Byes 
[ ]No 


Please explain further: 


Open Rights Group agrees with the definition provided on the Call for Views page: 


Activity, which relates to elections or referenda, in support of, or against, a political party, a 
referendum campaign or a candidate standing for election. 


Open Rights Group would like to emphasise that this definition is different to the definition in the 
existing definition in the existing political campaigning guidance: 


Activity in support of, or against, a political party, a referendum campaigner, or a candidate 
standing for election. (para 2 page 2) 


The proposed definition is wider than that of the existing guidance, which is welcome. The 
previous guidance, read strictly, could be construed as only applying to activity in support of or 
against particular individuals or groups, rather than issues at stake in a referendum. In the varied 


campaigning environment, campaigns are run, not in support of an individual candidate, but 
issues. For instance, Britain Stronger in Europe and Vote Leave were never campaigning for a 
particular campaigner in the referendum on the United Kingdom’s membership of the European 
Union, but for ideas and issues within a referendum. 


Modern political campaigning comprises multiple different actors, and multiple different 
approaches. Campaigning is not about supporting a candidate or party’s position but is more 
splintered and multifarious. This does not mean responsibility is watered down or diffuse, it 
means that more actors are responsible for processing activities during campaigns and as a result 
more actors are subject to the Data Protection Act 2018. This is an important reflection to make 
and the ICO should ensure the definition reflects that change in the nature of campaigns to 
include activity in support of, or against the ideals of an organisation or campaign in elections and 
referenda. 


Call for Views: Code of Practice for the use of 
personal information in political campaigns 


Q2 Should the code apply to other data controllers in the political 
campaigning process, beyond registered political parties, electoral 
candidates, referendum permitted participants and third party 
campaigners? Eg data controllers processing personal data on behalf of 
political campaigns, parties or candidates. 


| ie 
[_] No 


Please explain further: 


The code should apply to: 

- Data controllers processing personal data on behalf of political parties or campaigns (e.g. 
Facebook, Google, Twitter who provide space to advertise based on users personal data). 
Data processors processing personal data on behalf of political campaigns under contract 
(e.g. AIQ) 
Data brokers who sell data to political parties or campaigners for political campaigning 
purpose (for example, Lifecycle Management Marketing). 
Data controllers sharing their data for political campaigning purposes (e.g. Eldon 
Insurance sharing data with Leave.EU) 


As well as the different bodies that PPERA 2000 applies to (registered political parties, 
referendum permitted participants, and third- party campaigners). 


In particular the Information Commissioner’s Office should pay close to attention to groups that 


operate as unregistered campaigners that may not be registered with the Electoral Commission. 
For instance, during the EU referendum BeLeave were an unregistered campaign group (neither 
lead campaigner nor third party campaigner) according to the Electoral Commission. They ran 
advertisements and shared the same personal data as Vote Leave to identify audiences and select 
targeting criteria, and contracted with Aggregate IQ in a common plan with Vote Leave. While the 
Information Commissioner found no evidence of misuse of personal data, BeLeave were a data 
controller and participant in a political campaign, while not being a “referendum permitted 
participant” or “third party campaigner” yet the code should still apply to such an organisation. 


Q3 Who should the code also be aimed at ie data brokers, analytical 
companies, online platforms? (List as many as you think are applicable) 


Data controllers processing personal data on behalf of political parties or political 
campaigners (e.g. Facebook, Google, Twitter who provide space to advertise based on 
users personal data). 

Data processors processing personal data on behalf of political campaigns under contract 
(e.g. Aggregate IQ) 

Data brokers who sell data to political parties or campaigners for political campaigning 
purpose (for example, Lifecycle Management Marketing). 

Data analytics firms performing work on behalf of political parties or campaigners for 
political campaigning purpose. 

Data controllers sharing personal data for political campaigning purposes. 


It is important not to be construed as an exhaustive list. If an actor or individual aims to 
participate in an election or referendum for a particular outcome or particular policy, with the 
aim to convince individuals to vote in a particular way or participate, or even not participate, in 
the electoral process should have the code applied to them. 


Call for Views: Code of Practice for the use of 
personal information in political campaigns 


We propose the code will include the following broad topic areas: 

- The role of data controllers in the political campaigning ecosystem; 

- Transparency requirements in practice; 

- Accountability, security and data minimisation requirements; 

- Lawful bases including the new ‘democratic engagement’ aspect of the 
‘public interest’ 

basis in the Data Protection Act 2018; 

- Using special category data; 

- The use of personal data from the Electoral Register; 

- Data collection directly from individuals; 

- Using personal data collected by third parties; 

- Personal data analytics; 

- Direct marketing including the application of the Privacy and Electronic 
Communications 

Regulations; 

- Online advertising and the use of social media; 

- Post political campaign/election considerations. 


Q4 Do you agree with the proposed topics? 


Byes 
[ ]No 


Please explain further: 


Yes, covering new conditions would be useful. They have not appeared in guidance or 
jurisprudence previously, such as processing special category data if it is necessary “for an activity 
that supports or promotes democratic engagement” - section 8(e) of the DPA 2018, and also the 
Schedule 1 Part 2 Section 22 condition of processing by political parties. 


In particular the standards of substantial damage or substantial distress under Subsection 2 of 
Schedule 1. Part 2 Section 22, that would mean the conditions were not met. It should be kept in 
mind in mind that research cited by the Information Commissioner’s Office in the previous 
guidance on political campaigning has talked about certain marketing as ‘distressing’ (page 14 
and page 17). Similar reflections would be important to include in the updated guidance. 


These other areas reflect the various uses personal data is put to in modern political campaigning, 
in comparison with the previous guidance which was mostly focused on mailouts and direct 
communications. 


The challenge faced is that the models developed for commercial advertising, and in some cases 
the data collected for that purpose, are being used in political campaigning. This includes data 
matching, forming custom or lookalike audiences, data enhancement, using information held by 
data brokers and credit reference agencies. It is important the ICO ensures the code recognises 
those practices and addresses the different responsibilities and limitations that use of personal 
data for political campaigning purposes attract. 


Call for Views: Code of Practice for the use of 
personal information in political campaigns 


4c Is there anything we have not listed that ought to be included? 
Yes 


mg 


Please specify: 


Q4b What topic areas in particular ought to be covered in the most detail? 


An explanation of when the Commissioner considers processing that reveals political beliefs to 
have taken place. 


Are there some categories of Lookalike audiences that could be formed by social media 
companies that would be considered processing revealing political beliefs? 

Where data analytics of non-sensitive data can infer “sensitive data” (such as political 
opinions), what protections do those inferences attract and what responsibilities do the 
data controllers and processors have regarding the legal bases for processing? 


Transparency requirements in practice: 


What information should be immediately available to individuals when they receive a 
political marketing advertisement? 

Proactive disclosure of the source of the data when not collected directly from the 
person. 


The role and effect of purpose limitation in data protection in the electoral context. Referring to 
the European Data Protection Board’s guidance on the application of Union data protection law 


in the electoral context page 6: 


Data collected for one purpose can only be further processed for a 

compatible purpose; otherwise a new legal ground, provided for by the General Data 

Protection Regulation, such as consent, has to be found for the processing for the new 

purpose. In particular, when lifestyle data brokers or platforms collect data for 
commercial 

purposes, that data cannot be further processed in the electoral context. 


With regard to social media platforms, whether there should be a distinction between the 
political advertising uses of the personal data they hold, and the commercial advertising uses. 


The use of data from the electoral register and what analytics, or matching is legitimate to 
perform on that data, if any. 
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Q5 What do you think should be covered in the new code of practice that 
isn't covered in current political campaigning guidance? 


Guidance and responsibilities of the various actors that now play a role in the electoral context 
that were not included in the current political campaigning guidance, including but not limited to: 
- data analytics platforms; 

- social media companies; 

- data brokers; 

- permitted referendum participants; 

- third-party participants; and 

- unregistered groups using data for political campaigning purposes. 


Q6 What factors ought to be taken into account regarding the particular 
circumstances of different types of election or referenda? 


It may not be about factors between different types of election or referenda but more pertinent the 
code takes into account the factors between commercial use of personal data and political use of 
personal data. 


The effect in these circumstances are not whether or not a person buys a product but whether a 
person votes for a particular party, on a particular issue, or even votes at all. 
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Q7 Please state any case studies or scenarios you would like to see 
included in the code? 


Data minimisation in political campaigning. 


Examples of the new lawful bases for processing sensitive data in the Data Protection Act 2018. 


Transparency standards in practice. 


Examples of automated decision-making in the electoral context that would be considered to 
have a “sufficiently significant affect” on an individual. 


What form provision of information should take to a user of the source of data when the 
controller has not collected the data directly from the individual (e.g. political parties advertising 
using data collected by data brokers). 


The use of social media platforms to construct look-a-like audiences using sensitive personal data 
such as political beliefs, breaking down the responsibilities and the bases for processing that need 
to be in place. 


Q8 Please state any examples of guidance, tools or good practice you 
have encountered that could aid compliance in this area, and could be 
included in the code. 
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Q9 Name and contact details: 


_ = 


Q10 Are you responding: 
a In your own capacity? 
On behalf of an organisation 
Please describe your role and your organisation: 


BE © pen Rights Group. 


